๐Ÿ›ก๏ธ Cybersecurityโฑ 6 min read

Privacy Compliance Checklist for Australian Businesses (2026)

Privacy compliance isn't a one-off task; it's an ongoing obligation. This checklist covers the key requirements under the Australian Privacy Act 1988 and its Australian Privacy Principles (APPs), the Notifiable Data Breaches (NDB) scheme, and the Cyber Security Act 2024. Use it to assess where your business stands and what to prioritise.

How to use this checklist

Work through each section and mark where your business stands: compliant, partially compliant, or not addressed. Any item marked "not addressed" is a gap that needs immediate attention. Any item marked "partially compliant" needs a plan and timeline to reach full compliance.

This checklist covers the Australian Privacy Act 1988, the Notifiable Data Breaches scheme, and relevant provisions of the Cyber Security Act 2024. Check first whether the Privacy Act applies to you: businesses with annual turnover of AU$3 million or more are covered, and so are some smaller ones (for example, private health service providers and businesses that trade in personal information). Even if you fall under the small business exemption, the security controls in Section 3 and the breach preparedness in Section 7 are still worth applying, and the ransomware payment reporting obligation under the Cyber Security Act is assessed separately against its own turnover threshold.

Section 1 โ€” Governance and accountability

  • Privacy policy: You have a current, published privacy policy (APP 1) that accurately describes your data practices: what you collect, why, how it's used, who it's shared with (including any overseas recipients), and how individuals can access or correct their information or make a complaint
  • Privacy policy accessibility: Your privacy policy is freely and easily accessible, linked from your website footer, available on request, and written in plain English
  • Privacy officer: Someone in your organisation is designated as the point of contact for privacy matters, even if it's not their full-time role
  • Staff training: All employees who handle personal information have received privacy training appropriate to their role, and this training is refreshed at least annually
  • Third-party contracts: Your contracts with service providers (cloud, SaaS, marketing, accounting) include privacy and security obligations, including a duty to notify you promptly of any security incident so you can meet your own NDB assessment timeline, and address data stored or processed overseas (APP 8)

Section 2 โ€” Data collection

  • Collection limitation: You only collect personal information that's reasonably necessary for your business functions (APP 3), with no "just in case" data fields on forms
  • Collection notice: At or before the time of collection (or, if that isn't practicable, as soon as practicable afterwards), you inform individuals about who you are, why you're collecting their data, what you'll do with it, and where to find your privacy policy (APP 5)
  • Consent: Where consent is required, you obtain it before collecting personal information, it is informed, current and specific, and you can demonstrate how and when it was obtained
  • Sensitive information: If you collect sensitive information (health, genetic or biometric data, racial or ethnic origin, religious or political beliefs, sexual orientation, criminal record), you have the individual's consent and the collection is reasonably necessary for your functions, unless an APP 3.4 exception applies
  • Children's data: If you collect information from individuals under 18, you assess whether they have the capacity to consent (OAIC guidance presumes capacity from age 15 unless something suggests otherwise), obtain parental or guardian consent where they don't, and apply additional protections

Section 3 โ€” Data storage and security

  • Data inventory: You know what personal information you hold, where it's stored (physical and digital locations), and who has access to it
  • Access controls: Access to personal information is restricted to employees who need it for their role (principle of least privilege), and access is removed promptly when roles change or staff leave
  • Encryption: Personal information is encrypted at rest (stored) and in transit (transmitted), particularly for cloud storage, email, and backups
  • Multi-factor authentication: MFA is enabled on all systems that store or provide access to personal information, including remote access and administrator accounts
  • Patching: Operating systems, applications, and firmware are patched within 48 hours for critical vulnerabilities (and any with a known working exploit) and within two weeks for other updates, in line with ASD Essential Eight guidance
  • Backups: Regular backups of personal information are maintained, tested for recoverability, and stored separately from production systems
  • Physical security: Physical documents containing personal information are stored in locked cabinets with controlled access
  • Device security: Laptops, phones, and portable media that may contain personal information have encryption, remote wipe capability, and strong authentication

Section 4 โ€” Data use and disclosure

  • Purpose limitation: Personal information is used only for the purpose it was collected for, or a directly related secondary purpose the individual would reasonably expect (APP 6)
  • Direct marketing: Marketing communications are only sent with appropriate consent (APP 7 and the Spam Act 2003), every message identifies your business and includes a working unsubscribe mechanism, and opt-out requests are honoured promptly (the Spam Act requires within five business days)
  • Cross-border disclosure: If personal information is transferred overseas (including through US-based SaaS tools like Mailchimp, HubSpot, or Salesforce), you've taken reasonable steps to ensure the overseas recipient handles it in accordance with the APPs (APP 8)
  • Government identifiers: You don't use government-issued identifiers (TFN, Medicare number, driver licence number) as your own customer identifiers (APP 9)

Section 5 โ€” Data retention and destruction

  • Retention policy: You have a documented policy specifying how long different types of personal information are retained, based on business need and legal requirements (for example, tax and employment record-keeping periods)
  • Destruction procedures: When personal information is no longer needed for any purpose for which it may be used or disclosed under the APPs, it's securely destroyed or de-identified (APP 11.2), not just deleted from one system while copies remain in backups, email archives, and third-party tools
  • Account closure: When a customer closes their account or ends their relationship, you have a process to identify and remove their personal information within a reasonable timeframe

Section 6 โ€” Individual rights

  • Access requests: You have a process to respond to access requests within a reasonable period (OAIC guidance treats 30 days as the benchmark; APP 12), and you verify the requester's identity before releasing anything, since a poorly handled access request is itself a common way to leak personal information
  • Correction requests: You have a process to correct inaccurate, out-of-date, incomplete, or misleading personal information when requested (APP 13)
  • Complaints handling: You have a documented process for handling privacy complaints, including acknowledgment, investigation, and response timeframes (the OAIC generally expects the complainant to have given you around 30 days to respond before it will take the complaint)
  • Anonymity option: Where practical, individuals can interact with your business without identifying themselves or by using a pseudonym (APP 2)

Section 7 โ€” Breach preparedness

  • Breach response plan: You have a documented data breach response plan with clear roles, escalation procedures, and decision trees for assessing whether a breach is "eligible" under the NDB scheme (unauthorised access to, disclosure of, or loss of personal information that is likely to result in serious harm). The scheme requires a suspected eligible breach to be assessed within 30 days, and an eligible breach to be notified to the OAIC and affected individuals as soon as practicable
  • Notification templates: Pre-drafted notification templates are ready for OAIC submission and individual notification, customisable but covering the mandatory content (your identity and contact details, a description of the breach, the kinds of information involved, and recommended steps for individuals)
  • Contact list: Your breach response plan includes up-to-date contact details for your response team, legal advisors, IT support, the OAIC, and relevant regulators
  • Ransomware reporting: If ransomware is a risk scenario for your business and your annual turnover is above the threshold in the rules (AU$3 million), you understand that the Cyber Security Act 2024 requires any ransomware payment made by or on behalf of your business to be reported to the Department of Home Affairs within 72 hours of making it. Your plan also runs the NDB assessment in parallel, because a ransomware incident that involved access to personal information is often an eligible data breach whether or not you pay
  • Tabletop testing: You've conducted at least one breach simulation exercise in the past 12 months to test your response plan
  • Documentation: Your plan includes procedures for documenting every action taken during a breach response, because the OAIC will ask for this during any investigation

Section 8 โ€” Ongoing compliance

  • Privacy impact assessments: Before launching new products, services, or systems that handle personal information, you assess the privacy risks
  • Regular review: Your privacy policy, data practices, and security controls are reviewed at least annually, or sooner when significant changes occur
  • Vendor review: Third-party service providers with access to personal information are reviewed periodically for privacy and security compliance
  • Regulatory monitoring: You track changes to the Privacy Act, OAIC guidance, and related legislation (Cyber Security Act 2024, proposed reforms)

Scoring your readiness

Count your results across all eight sections:

  • Fully compliant on 80% or more of items: Strong foundation; focus on closing remaining gaps and maintaining compliance over time
  • Fully compliant on 50% to 79% of items: Material gaps exist; prioritise breach preparedness (Section 7) and data security (Section 3) first
  • Fully compliant on fewer than 50% of items: Significant exposure; a structured privacy programme is needed. Start with a professional privacy health check to identify the most critical gaps

Want a professional assessment?

RabbiiCo Studio's free Privacy Health Check evaluates your business against this full checklist and delivers a prioritised action plan showing exactly what to address first. No obligation, no jargon.

Get your free Privacy Health Check →